From 0881783917faabf8955e670a09787a5884e505f9 Mon Sep 17 00:00:00 2001
From: Rustan Leino <leino@amazon.com>
Date: Mon, 15 Aug 2022 16:42:45 -0700
Subject: [PATCH 01/15] snapshot

---
 Source/Dafny/AST/DafnyAst.cs                 |   2 +-
 Source/Dafny/Linter.cs                       |  51 +++++
 Source/Dafny/Resolver.cs                     |  16 +-
 Source/Dafny/Rewriter.cs                     |  10 +
 Source/Dafny/Triggers/TriggerUtils.cs        |   2 +-
 Test/VSComp2010/Problem4-Queens.dfy          |   1 -
 Test/dafny0/LabeledAsserts.dfy.expect        |   2 +
 Test/dafny0/LabelsOldAt.dfy.expect           |   1 +
 Test/dafny0/OpaqueTypeWithMembers.dfy        |   6 +-
 Test/dafny0/OpaqueTypeWithMembers.dfy.expect |   3 +
 Test/dafny0/Simple.dfy                       |   2 +-
 Test/dafny0/Simple.dfy.expect                |   1 +
 Test/dafny0/SmallTests.dfy.expect            |   2 +
 Test/dafny0/Twostate-Verification.dfy        |  46 ++--
 Test/dafny0/Twostate-Verification.dfy.expect |  23 ++
 Test/git-issues/git-issue-1989.dfy           | 225 +++++++++++++++++++
 16 files changed, 357 insertions(+), 36 deletions(-)
 create mode 100644 Source/Dafny/Linter.cs
 create mode 100644 Test/git-issues/git-issue-1989.dfy

diff --git a/Source/Dafny/AST/DafnyAst.cs b/Source/Dafny/AST/DafnyAst.cs
index 4e621620fc4..e08830d72b5 100644
--- a/Source/Dafny/AST/DafnyAst.cs
+++ b/Source/Dafny/AST/DafnyAst.cs
@@ -8746,7 +8746,7 @@ public TryRecoverStatement(Statement tryBody, IVariable haltMessageVar, Statemen
   // ------------------------------------------------------------------------------------------------------
 
   public abstract class TokenWrapper : IToken {
-    protected readonly IToken WrappedToken;
+    public readonly IToken WrappedToken;
     protected TokenWrapper(IToken wrappedToken) {
       Contract.Requires(wrappedToken != null);
       WrappedToken = wrappedToken;
diff --git a/Source/Dafny/Linter.cs b/Source/Dafny/Linter.cs
new file mode 100644
index 00000000000..e480c16205f
--- /dev/null
+++ b/Source/Dafny/Linter.cs
@@ -0,0 +1,51 @@
+//-----------------------------------------------------------------------------
+//
+// Copyright (C) Microsoft Corporation.  All Rights Reserved.
+// Copyright by the contributors to the Dafny Project
+// SPDX-License-Identifier: MIT
+//
+//-----------------------------------------------------------------------------
+using System.Collections.Generic;
+using System.Linq;
+using System.Reactive;
+
+namespace Microsoft.Dafny {
+
+  class Linter : IRewriter {
+    internal override void PostResolve(Program program) {
+      base.PostResolve(program);
+      foreach (var moduleDefinition in program.Modules()) {
+        foreach (var topLevelDecl in moduleDefinition.TopLevelDecls.OfType<TopLevelDeclWithMembers>()) {
+          foreach (var callable in topLevelDecl.Members.OfType<ICallable>()) {
+            var visitor = new LinterVisitor(this.Reporter);
+            visitor.Visit(callable, Unit.Default);
+          }
+        }
+      }
+    }
+
+    public Linter(ErrorReporter reporter) : base(reporter) {
+    }
+  }
+
+  class LinterVisitor : TopDownVisitor<Unit> {
+    private readonly ErrorReporter reporter;
+
+    public LinterVisitor(ErrorReporter reporter) {
+      this.reporter = reporter;
+    }
+
+    protected override bool VisitOneExpr(Expression expr, ref Unit st) {
+      if (expr is OldExpr oldExpr && !AutoGeneratedToken.Is(oldExpr.tok)) {
+        var fvs = new HashSet<IVariable>();
+        var usesHeap = false;
+        FreeVariablesUtil.ComputeFreeVariables(oldExpr.E, fvs, ref usesHeap);
+        if (!usesHeap) {
+          this.reporter.Warning(MessageSource.Rewriter, oldExpr.tok,
+            $"Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect");
+        }
+      }
+      return base.VisitOneExpr(expr, ref st);
+    }
+  }
+}
diff --git a/Source/Dafny/Resolver.cs b/Source/Dafny/Resolver.cs
index 64b8bf1ed1a..fa6686506eb 100644
--- a/Source/Dafny/Resolver.cs
+++ b/Source/Dafny/Resolver.cs
@@ -442,6 +442,8 @@ public void ResolveProgram(Program prog) {
         rewriters.Add(new ConstructorWarning(reporter));
       }
 
+      rewriters.Add(new Linter(reporter));
+
       foreach (var plugin in DafnyOptions.O.Plugins) {
         rewriters.AddRange(plugin.GetRewriters(reporter));
       }
@@ -10575,6 +10577,8 @@ void ResolveIterator(IteratorDecl iter) {
     void CreateIteratorMethodSpecs(IteratorDecl iter) {
       Contract.Requires(iter != null);
 
+      var tok = new AutoGeneratedToken(iter.tok);
+
       // ---------- here comes the constructor ----------
       // same requires clause as the iterator itself
       iter.Member_Init.Req.AddRange(iter.Requires);
@@ -10606,7 +10610,7 @@ void CreateIteratorMethodSpecs(IteratorDecl iter) {
       }
       ens.Add(new AttributedExpression(new BinaryExpr(iter.tok, BinaryExpr.Opcode.Eq,
         new MemberSelectExpr(iter.tok, new ThisExpr(iter.tok), "_reads"),
-        new OldExpr(iter.tok, frameSet))));
+        new OldExpr(tok, frameSet))));
       // ensures this._modifies == old(ModifiesClause);
       modSetSingletons = new List<Expression>();
       frameSet = new SetDisplayExpr(iter.tok, true, modSetSingletons);
@@ -10621,7 +10625,7 @@ void CreateIteratorMethodSpecs(IteratorDecl iter) {
       }
       ens.Add(new AttributedExpression(new BinaryExpr(iter.tok, BinaryExpr.Opcode.Eq,
         new MemberSelectExpr(iter.tok, new ThisExpr(iter.tok), "_modifies"),
-        new OldExpr(iter.tok, frameSet))));
+        new OldExpr(tok, frameSet))));
       // ensures this._new == {};
       ens.Add(new AttributedExpression(new BinaryExpr(iter.tok, BinaryExpr.Opcode.Eq,
         new MemberSelectExpr(iter.tok, new ThisExpr(iter.tok), "_new"),
@@ -10632,7 +10636,7 @@ void CreateIteratorMethodSpecs(IteratorDecl iter) {
         var p = iter.Decreases.Expressions[i];
         ens.Add(new AttributedExpression(new BinaryExpr(iter.tok, BinaryExpr.Opcode.Eq,
           new MemberSelectExpr(iter.tok, new ThisExpr(iter.tok), iter.DecreasesFields[i].Name),
-          new OldExpr(iter.tok, p))));
+          new OldExpr(tok, p))));
       }
 
       // ---------- here comes predicate Valid() ----------
@@ -10658,7 +10662,7 @@ void CreateIteratorMethodSpecs(IteratorDecl iter) {
       ens.Add(new AttributedExpression(new FreshExpr(iter.tok,
         new BinaryExpr(iter.tok, BinaryExpr.Opcode.Sub,
           new MemberSelectExpr(iter.tok, new ThisExpr(iter.tok), "_new"),
-          new OldExpr(iter.tok, new MemberSelectExpr(iter.tok, new ThisExpr(iter.tok), "_new"))))));
+          new OldExpr(tok, new MemberSelectExpr(iter.tok, new ThisExpr(iter.tok), "_new"))))));
       // ensures null !in _new
       ens.Add(new AttributedExpression(new BinaryExpr(iter.tok, BinaryExpr.Opcode.NotIn,
         new LiteralExpr(iter.tok),
@@ -10675,9 +10679,9 @@ void CreateIteratorMethodSpecs(IteratorDecl iter) {
         var ys = iter.OutsHistoryFields[i];
         var ite = new ITEExpr(iter.tok, false, new IdentifierExpr(iter.tok, "more"),
           new BinaryExpr(iter.tok, BinaryExpr.Opcode.Add,
-            new OldExpr(iter.tok, new MemberSelectExpr(iter.tok, new ThisExpr(iter.tok), ys.Name)),
+            new OldExpr(tok, new MemberSelectExpr(iter.tok, new ThisExpr(iter.tok), ys.Name)),
             new SeqDisplayExpr(iter.tok, new List<Expression>() { new MemberSelectExpr(iter.tok, new ThisExpr(iter.tok), y.Name) })),
-          new OldExpr(iter.tok, new MemberSelectExpr(iter.tok, new ThisExpr(iter.tok), ys.Name)));
+          new OldExpr(tok, new MemberSelectExpr(iter.tok, new ThisExpr(iter.tok), ys.Name)));
         var eq = new BinaryExpr(iter.tok, BinaryExpr.Opcode.Eq, new MemberSelectExpr(iter.tok, new ThisExpr(iter.tok), ys.Name), ite);
         ens.Add(new AttributedExpression(eq));
       }
diff --git a/Source/Dafny/Rewriter.cs b/Source/Dafny/Rewriter.cs
index a549d819b37..6b8350077d7 100644
--- a/Source/Dafny/Rewriter.cs
+++ b/Source/Dafny/Rewriter.cs
@@ -121,6 +121,16 @@ public AutoGeneratedToken(IToken wrappedToken)
       : base(wrappedToken) {
       Contract.Requires(wrappedToken != null);
     }
+
+    public static bool Is(IToken tok) {
+      while (tok is TokenWrapper w) {
+        if (w is AutoGeneratedToken) {
+          return true;
+        }
+        tok = w.WrappedToken;
+      }
+      return false;
+    }
   }
 
   public class TriggerGeneratingRewriter : IRewriter {
diff --git a/Source/Dafny/Triggers/TriggerUtils.cs b/Source/Dafny/Triggers/TriggerUtils.cs
index eb4898378f1..6f0c6f21c2c 100644
--- a/Source/Dafny/Triggers/TriggerUtils.cs
+++ b/Source/Dafny/Triggers/TriggerUtils.cs
@@ -286,7 +286,7 @@ internal static IEnumerable<Expression> MaybeWrapInOld(Expression expr, HashSet<
       Contract.Requires(wrap == null || wrap.Count != 0);
       if (wrap != null && !(expr is NameSegment) && !(expr is IdentifierExpr)) {
         foreach (var w in wrap) {
-          var newExpr = new OldExpr(expr.tok, expr, w.At) { AtLabel = w.AtLabel };
+          var newExpr = new OldExpr(new AutoGeneratedToken(expr.tok), expr, w.At) { AtLabel = w.AtLabel };
           newExpr.Type = expr.Type;
           yield return newExpr;
         }
diff --git a/Test/VSComp2010/Problem4-Queens.dfy b/Test/VSComp2010/Problem4-Queens.dfy
index 3d676f06dcc..02dabbcd57f 100644
--- a/Test/VSComp2010/Problem4-Queens.dfy
+++ b/Test/VSComp2010/Problem4-Queens.dfy
@@ -74,7 +74,6 @@ method SearchAux(N: int, boardSoFar: seq<int>) returns (success: bool, newBoard:
                   boardSoFar <= B
                   ==>
                   (exists p :: 0 <= p && p < N && !IsConsistent(B, p)));
-  ensures (forall B, p :: IsConsistent(B, p) <==> old(IsConsistent(B, p)));
   decreases N - |boardSoFar|;
 {
   var pos := |boardSoFar|;
diff --git a/Test/dafny0/LabeledAsserts.dfy.expect b/Test/dafny0/LabeledAsserts.dfy.expect
index 62dff815b92..508bd8a60ae 100644
--- a/Test/dafny0/LabeledAsserts.dfy.expect
+++ b/Test/dafny0/LabeledAsserts.dfy.expect
@@ -1,3 +1,5 @@
+LabeledAsserts.dfy(63,9): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+LabeledAsserts.dfy(63,30): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
 LabeledAsserts.dfy(25,11): Error: assertion might not hold
 LabeledAsserts.dfy(27,18): Error: assertion might not hold
 LabeledAsserts.dfy(28,18): Error: assertion might not hold
diff --git a/Test/dafny0/LabelsOldAt.dfy.expect b/Test/dafny0/LabelsOldAt.dfy.expect
index fdce8098d24..d00a750700a 100644
--- a/Test/dafny0/LabelsOldAt.dfy.expect
+++ b/Test/dafny0/LabelsOldAt.dfy.expect
@@ -1,3 +1,4 @@
+LabelsOldAt.dfy(160,13): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
 LabelsOldAt.dfy(34,13): Error: assertion might not hold
 LabelsOldAt.dfy(56,11): Error: assertion might not hold
 LabelsOldAt.dfy(78,13): Error: assertion might not hold
diff --git a/Test/dafny0/OpaqueTypeWithMembers.dfy b/Test/dafny0/OpaqueTypeWithMembers.dfy
index aec2a4b7e96..4452fcc06c9 100644
--- a/Test/dafny0/OpaqueTypeWithMembers.dfy
+++ b/Test/dafny0/OpaqueTypeWithMembers.dfy
@@ -23,7 +23,7 @@ type Opaque {
     ensures old(a[3] + y) == y
   {
     u := old(y + a[3]);
-    var f := old(F());
+    var f := old(F()); // warning: old has no effect (since F has no reads clause)
     var u' := y + a[3];
     var f' := F();
   }
@@ -61,7 +61,7 @@ type StaticOpaque {
     ensures old(a[3] + y) == y
   {
     u := old(y + a[3]);
-    var f := old(F());
+    var f := old(F()); // warning: old has no effect (since F has no reads clause)
     var u' := y + a[3];
     var f' := F();
   }
@@ -91,7 +91,7 @@ type OpaqueErrors {
     ensures old(a[3] + y) == y
   {
     u := old(y + a[2]);  // error: index out of bounds
-    var f := old(F());
+    var f := old(F()); // warning: old has no effect (since F has no reads clause)
     var u' := y + a[2];
     var f' := F();
   }
diff --git a/Test/dafny0/OpaqueTypeWithMembers.dfy.expect b/Test/dafny0/OpaqueTypeWithMembers.dfy.expect
index 8d29e6e1bda..558bacdaaac 100644
--- a/Test/dafny0/OpaqueTypeWithMembers.dfy.expect
+++ b/Test/dafny0/OpaqueTypeWithMembers.dfy.expect
@@ -1,3 +1,6 @@
+OpaqueTypeWithMembers.dfy(26,13): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+OpaqueTypeWithMembers.dfy(64,13): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+OpaqueTypeWithMembers.dfy(94,13): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
 OpaqueTypeWithMembers.dfy(83,36): Error: possible division by zero
 OpaqueTypeWithMembers.dfy(84,51): Error: possible division by zero
 OpaqueTypeWithMembers.dfy(87,9): Error: index out of range
diff --git a/Test/dafny0/Simple.dfy b/Test/dafny0/Simple.dfy
index 6fdd7bc3530..b56282d2370 100644
--- a/Test/dafny0/Simple.dfy
+++ b/Test/dafny0/Simple.dfy
@@ -11,7 +11,7 @@ class MyClass<T,U> {
     requires s;
     modifies this, lotsaObjects;
     ensures t == t;
-    ensures old(null) != this;
+    ensures old(null) != this; // warning: old(null) is the same as null
   {
     x := 12;
     while (x < 100)
diff --git a/Test/dafny0/Simple.dfy.expect b/Test/dafny0/Simple.dfy.expect
index 54a1bc8c277..1e90daa15d3 100644
--- a/Test/dafny0/Simple.dfy.expect
+++ b/Test/dafny0/Simple.dfy.expect
@@ -105,5 +105,6 @@ greatest lemma M'(x': int)
   ensures true
 {
 }
+Simple.dfy(14,12): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
 
 Dafny program verifier did not attempt verification
diff --git a/Test/dafny0/SmallTests.dfy.expect b/Test/dafny0/SmallTests.dfy.expect
index 5f0e952f225..a5be04cf8c8 100644
--- a/Test/dafny0/SmallTests.dfy.expect
+++ b/Test/dafny0/SmallTests.dfy.expect
@@ -1,4 +1,5 @@
 SmallTests.dfy(548,4): Warning: /!\ No trigger covering all quantified variables found.
+SmallTests.dfy(599,12): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
 SmallTests.dfy(909,14): Error: target object might be null
 SmallTests.dfy(901,14): Error: target object might be null
 SmallTests.dfy(34,11): Error: index out of range
@@ -54,5 +55,6 @@ SmallTests.dfy(716,8): Error: cannot establish the existence of LHS values that
 
 Dafny program verifier finished with 56 verified, 48 errors
 SmallTests.dfy.tmp.dprint.dfy(450,4): Warning: /!\ No trigger covering all quantified variables found.
+SmallTests.dfy.tmp.dprint.dfy(803,12): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
 
 Dafny program verifier did not attempt verification
diff --git a/Test/dafny0/Twostate-Verification.dfy b/Test/dafny0/Twostate-Verification.dfy
index 357439c7adb..d20cf1dc66e 100644
--- a/Test/dafny0/Twostate-Verification.dfy
+++ b/Test/dafny0/Twostate-Verification.dfy
@@ -30,7 +30,7 @@ class A {
   }
 
   twostate lemma L2(a: A, b: A)
-    requires old(a != b)
+    requires old(a != b) // warning: old has no effect
   {}
 
   twostate lemma L3(a: A, new b: A)
@@ -653,33 +653,33 @@ module TwoStateAt {
     label Label:
 
     if * {
-      ghost var f0 := old(d0.value);
-      ghost var f1 := old(nt.value);
-      ghost var f2 := old(ot.value);
-      ghost var f3 := old(d1.value);  // error: receiver is not in old state
+      ghost var f0 := old(d0.value); // warning: old has no effect
+      ghost var f1 := old(nt.value); // warning: old has no effect
+      ghost var f2 := old(ot.value); // warning: old has no effect
+      ghost var f3 := old(d1.value);  // error: receiver is not in old state (warning: old has no effect)
     } else if * {
-      ghost var g0 := old(DT<Cell>.sc);
-      ghost var g1 := old(NT.sc);
-      ghost var g2 := old(OT<Cell>.sc);
+      ghost var g0 := old(DT<Cell>.sc); // warning: old has no effect
+      ghost var g1 := old(NT.sc); // warning: old has no effect
+      ghost var g2 := old(OT<Cell>.sc); // warning: old has no effect
     } else if * {
-      ghost var h0 := old(d0.sc);
-      ghost var h1 := old(nt.sc);
-      ghost var h2 := old(ot.sc);
-      ghost var h3 := old(d1.sc);  // this is also fine
+      ghost var h0 := old(d0.sc); // warning: old has no effect
+      ghost var h1 := old(nt.sc); // warning: old has no effect
+      ghost var h2 := old(ot.sc); // warning: old has no effect
+      ghost var h3 := old(d1.sc);  // this is also fine (warning: old has no effect)
     } else if * {
-      ghost var f0 := old@Label(d0.value);
-      ghost var f1 := old@Label(nt.value);
-      ghost var f2 := old@Label(ot.value);
-      ghost var f3 := old@Label(d1.value);  // fine
+      ghost var f0 := old@Label(d0.value); // warning: old has no effect
+      ghost var f1 := old@Label(nt.value); // warning: old has no effect
+      ghost var f2 := old@Label(ot.value); // warning: old has no effect
+      ghost var f3 := old@Label(d1.value);  // fine (warning: old has no effect)
     } else if * {
-      ghost var g0 := old@Label(DT<Cell>.sc);
-      ghost var g1 := old@Label(NT.sc);
-      ghost var g2 := old@Label(OT<Cell>.sc);
+      ghost var g0 := old@Label(DT<Cell>.sc); // warning: old has no effect
+      ghost var g1 := old@Label(NT.sc); // warning: old has no effect
+      ghost var g2 := old@Label(OT<Cell>.sc); // warning: old has no effect
     } else if * {
-      ghost var h0 := old@Label(d0.sc);
-      ghost var h1 := old@Label(nt.sc);
-      ghost var h2 := old@Label(ot.sc);
-      ghost var h3 := old@Label(d1.sc);
+      ghost var h0 := old@Label(d0.sc); // warning: old has no effect
+      ghost var h1 := old@Label(nt.sc); // warning: old has no effect
+      ghost var h2 := old@Label(ot.sc); // warning: old has no effect
+      ghost var h3 := old@Label(d1.sc); // warning: old has no effect
     }
   }
 }
diff --git a/Test/dafny0/Twostate-Verification.dfy.expect b/Test/dafny0/Twostate-Verification.dfy.expect
index d627df2ecb2..8815ae6a4e1 100644
--- a/Test/dafny0/Twostate-Verification.dfy.expect
+++ b/Test/dafny0/Twostate-Verification.dfy.expect
@@ -1,3 +1,26 @@
+Twostate-Verification.dfy(656,22): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+Twostate-Verification.dfy(657,22): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+Twostate-Verification.dfy(658,22): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+Twostate-Verification.dfy(659,22): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+Twostate-Verification.dfy(661,22): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+Twostate-Verification.dfy(662,22): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+Twostate-Verification.dfy(663,22): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+Twostate-Verification.dfy(665,22): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+Twostate-Verification.dfy(666,22): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+Twostate-Verification.dfy(667,22): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+Twostate-Verification.dfy(668,22): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+Twostate-Verification.dfy(670,22): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+Twostate-Verification.dfy(671,22): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+Twostate-Verification.dfy(672,22): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+Twostate-Verification.dfy(673,22): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+Twostate-Verification.dfy(675,22): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+Twostate-Verification.dfy(676,22): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+Twostate-Verification.dfy(677,22): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+Twostate-Verification.dfy(679,22): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+Twostate-Verification.dfy(680,22): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+Twostate-Verification.dfy(681,22): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+Twostate-Verification.dfy(682,22): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+Twostate-Verification.dfy(33,13): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
 Twostate-Verification.dfy(271,13): Error: A postcondition might not hold on this return path.
 Twostate-Verification.dfy(263,24): Related location: This is the postcondition that might not hold.
 Twostate-Verification.dfy(277,4): Error: A postcondition might not hold on this return path.
diff --git a/Test/git-issues/git-issue-1989.dfy b/Test/git-issues/git-issue-1989.dfy
new file mode 100644
index 00000000000..afb50686b2a
--- /dev/null
+++ b/Test/git-issues/git-issue-1989.dfy
@@ -0,0 +1,225 @@
+// RUN: %dafny /compile:0 "%s" > "%t"
+// RUN: %diff "%s.expect" "%t"
+
+// ---------------------------------------
+
+module Test {
+  class C {
+  }
+
+  function arrSet(a: array<C>): set<object>
+    reads a
+  {
+    set i : int | 0 <= i < a.Length :: a[i]
+  }
+
+  method test(a: array<C>, i: int, x: C)
+    modifies a
+    requires 0 <= i < a.Length
+    requires x !in arrSet(a)
+  {
+    a[i] := x;
+    assert arrSet(a) == arrSet(old(a)); // warning: old has no effect
+  }
+}
+
+// ---------------------------------------
+
+predicate P(s: seq<int>)
+predicate Q(a: array<int>)
+  reads a
+
+class C {
+  var x: int
+
+  predicate PInClass(s: seq<int>)
+  static predicate StaticPInClass(s: seq<int>)
+
+  predicate QInClass(a: array<int>)
+    reads a
+  static predicate StaticQInClass(a: array<int>)
+    reads a
+
+  predicate R(y: int := x)
+    reads this
+}
+
+method TestsNoReads(c: C, s: seq<int>, a: array<int>) {
+  ghost var b;
+  b := old(P(s)); // warning: old has no effect
+  b := old(c.PInClass(s)); // warning: old has no effect
+  b := old(C.StaticPInClass(s)); // warning: old has no effect
+  b := old(c.StaticPInClass(s)); // warning: old has no effect
+
+  b := old(Q(a));
+  b := old(c.QInClass(a));
+  b := old(C.StaticQInClass(a));
+  b := old(c.StaticQInClass(a));
+
+  b := old(c.R(3));
+  b := old(c.R());
+}
+
+method Trigger()
+  // The following should generate a warning, but preferably not two.
+  // That is, if the old expression is copied into the trigger, it
+  // is preferable that there's not a second warning for the 'old' there.
+  ensures forall s :: P(s) == old(P(s)) // warning: old has no effect
+
+  // A manually supplied trigger should have its own warning, though:
+  ensures forall s {:trigger old(P(s))} :: P(s) == old(P(s)) // warning (x2): old has no effect
+{
+}
+
+// An iterator has several auto-generated old expressions.
+// These should not generate any warnings.
+iterator Iter()
+{
+}
+
+// ---------------------------------------
+
+class D {
+  var data: int
+  const N: int
+  var arr: array<real>
+
+  method TestFields()
+    ensures data == old(data)
+    ensures N == old(N) // warning: old has no effect
+  {
+  }
+
+  method TestArrayElements(j: nat, a: array<real>)
+    requires j < a.Length
+    ensures a.Length == old(a.Length) // warning: old has no effect
+    ensures a[j] == old(a[j])
+    ensures a[j] == old(a)[j] // warning: old has no effect
+    ensures a[j] == a[old(j)] // warning: old has no effect
+  {
+  }
+
+  method MoreArrays(b: array<real>)
+    requires 0 <= data && data + 1 < arr.Length == b.Length
+    requires 1.0 <= arr[data] < arr[data + 1] < 2.0
+    requires 4.0 <= b[data] < b[data + 1] < 5.0
+    modifies this, arr
+    ensures arr == b && data == old(data) + 1
+    ensures arr[data] != old(arr[data])
+    ensures arr[data] != old(arr)[data]
+    ensures arr[data] != arr[old(data)]
+    ensures var a, j := arr, data; old(arr[data]) != old(a[j])
+  {
+    forall i | 0 <= i < arr.Length {
+      arr[i] := 2.0 * arr[i];
+    }
+    arr := b;
+    data := data + 1;
+  }
+
+  method TestMatrixElements(i: nat, j: nat, m: array2<real>)
+    requires i < m.Length0 && j < m.Length1
+    ensures m.Length0 == old(m.Length1) // warning: old has no effect
+    ensures m[i, j] == old(m[i, j])
+    ensures m[i, j] == old(m)[i, j] // warning: old has no effect
+    ensures m[i, j] == m[i, old(j)] // warning: old has no effect
+  {
+  }
+
+  lemma Lemma(y: int)
+    requires data == y
+  {
+  }
+}
+
+// ---------------------------------------
+
+method StmtExpr(d: D)
+  requires d.data == 3
+  modifies d
+{
+  ghost var a;
+  d.data := 100;
+  if {
+  case true =>
+    a := assert d.data < 5; 10; // error: assertion failure
+  case true =>
+    a := old(20 + assert d.data < 5; 10);
+  case true =>
+    a := old(d.Lemma(3); 10);
+  case true =>
+    a := old(d.Lemma(100); 10); // error: precondition violation
+  case true =>
+    a := (d.Lemma(old(100)); 10); // warning: old has no effect
+  }
+  a := assert d.data < old(105); 0; // warning: old has no effect
+}
+
+method CalcStmtExpr(d: D)
+  requires d.data == 3
+  modifies d
+{
+  ghost var a;
+  d.data := 100;
+  if {
+  case true =>
+    a := old(calc { } 10); // warning: old has no effect (but this is hard to determine)
+  case true =>
+    a := old(calc {
+      2;
+    ==  { assert d.data == 3; }
+      2;
+    } 10); // warning: old has no effect
+  case true =>
+    a := old(calc {
+      2;
+    ==  { assert d.data == 100; } // error: assertion violation
+      2;
+    } 10); // warning: old has no effect
+  case true =>
+    a := old(calc {
+      2;
+    ==  { d.Lemma(3); }
+      2;
+    } 10); // warning: old has no effect
+  case true =>
+    a := old(calc {
+      2;
+    ==  { d.Lemma(100); } // error: precondition violation
+      2;
+    } 10); // warning: old has no effect
+  }
+}
+
+twostate function CalcStmtExprFunction(d: D, selector: int): int
+  requires old(d.data) == 3 && d.data == 100
+{
+  match selector
+  case 0 =>
+    old(calc { } 10) // warning: old has no effect (but this is hard to determine)
+  case 1 =>
+    a := old(calc {
+      2;
+    ==  { assert d.data == 3; }
+      2;
+    } 10); // warning: old has no effect
+  case 2 =>
+    a := old(calc {
+      2;
+    ==  { assert d.data == 100; } // error: assertion violation
+      2;
+    } 10); // warning: old has no effect
+  case true =>
+    a := old(calc {
+      2;
+    ==  { d.Lemma(3); }
+      2;
+    } 10); // warning: old has no effect
+  case true =>
+    a := old(calc {
+      2;
+    ==  { d.Lemma(100); } // error: precondition violation
+      2;
+    } 10); // warning: old has no effect
+  }
+}

From a341eca079f20c033bdb6c237790f747b89b2ea7 Mon Sep 17 00:00:00 2001
From: Rustan Leino <leino@amazon.com>
Date: Wed, 17 Aug 2022 09:23:02 -0700
Subject: [PATCH 02/15] Enhance two-state detection in resolver

---
 Source/Dafny/Resolver.cs                      | 22 ++++--
 Test/git-issues/git-issue-2597-resolution.dfy | 69 +++++++++++++++++++
 .../git-issue-2597-resolution.dfy.expect      | 10 +++
 3 files changed, 95 insertions(+), 6 deletions(-)
 create mode 100644 Test/git-issues/git-issue-2597-resolution.dfy
 create mode 100644 Test/git-issues/git-issue-2597-resolution.dfy.expect

diff --git a/Source/Dafny/Resolver.cs b/Source/Dafny/Resolver.cs
index 64b8bf1ed1a..c29bdccdf48 100644
--- a/Source/Dafny/Resolver.cs
+++ b/Source/Dafny/Resolver.cs
@@ -9152,8 +9152,11 @@ bool InferRequiredEqualitySupport(TypeParameter tp, Type type) {
     readonly Scope<IVariable>/*!*/ scope = new Scope<IVariable>();
     Scope<Statement>/*!*/ enclosingStatementLabels = new Scope<Statement>();
     readonly Scope<Label>/*!*/ dominatingStatementLabels = new Scope<Label>();
+    private bool inOneStateStatementContext = false; // usually, statements are two-state contexts, but there are exceptions (StmtExpr in one-state expression)
     List<Statement> loopStack = new List<Statement>();  // the enclosing loops (from which it is possible to break out)
 
+    public bool IsTwoStateContext(ResolveOpts opts) => opts.twoState && !inOneStateStatementContext;
+
     /// <summary>
     /// Resolves the types along .ParentTraits and fills in .ParentTraitHeads
     /// </summary>
@@ -11081,7 +11084,7 @@ public void ResolveStatement(Statement stmt, ICodeContext codeContext) {
               var methodCallInfo = ResolveApplySuffix(e, opts, true);
               if (methodCallInfo == null) {
                 reporter.Error(MessageSource.Resolver, expr.tok, "expression has no reveal lemma");
-              } else if (methodCallInfo.Callee.Member is TwoStateLemma && !opts.twoState) {
+              } else if (methodCallInfo.Callee.Member is TwoStateLemma && !IsTwoStateContext(opts)) {
                 reporter.Error(MessageSource.Resolver, methodCallInfo.Tok, "a two-state function can only be revealed in a two-state context");
               } else if (methodCallInfo.Callee.AtLabel != null) {
                 Contract.Assert(methodCallInfo.Callee.Member is TwoStateLemma);
@@ -14831,7 +14834,7 @@ public void ResolveExpressionX(Expression expr, ResolveOpts opts) {
         } else if (member is Function) {
           var fn = member as Function;
           e.Member = fn;
-          if (fn is TwoStateFunction && !opts.twoState) {
+          if (fn is TwoStateFunction && !IsTwoStateContext(opts)) {
             reporter.Error(MessageSource.Resolver, e.tok, "a two-state function can be used only in a two-state context");
           }
           // build the type substitution map
@@ -15397,16 +15400,23 @@ public void ResolveExpressionX(Expression expr, ResolveOpts opts) {
       } else if (expr is StmtExpr) {
         var e = (StmtExpr)expr;
         int prevErrorCount = reporter.Count(ErrorLevel.Error);
+
+        var previousInOneStateStatementContext = inOneStateStatementContext;
+        if (!IsTwoStateContext(opts)) {
+          inOneStateStatementContext = true;
+        }
         ResolveStatement(e.S, opts.codeContext);
         if (reporter.Count(ErrorLevel.Error) == prevErrorCount) {
           var r = e.S as UpdateStmt;
           if (r != null && r.ResolvedStatements.Count == 1) {
             var call = r.ResolvedStatements[0] as CallStmt;
-            if (call.Method is TwoStateLemma && !opts.twoState) {
+            if (call.Method is TwoStateLemma && !IsTwoStateContext(opts)) {
               reporter.Error(MessageSource.Resolver, call, "two-state lemmas can only be used in two-state contexts");
             }
           }
         }
+        inOneStateStatementContext = previousInOneStateStatementContext;
+
         ResolveExpression(e.E, opts);
         Contract.Assert(e.E.Type != null);  // follows from postcondition of ResolveExpression
         expr.Type = e.E.Type;
@@ -15449,7 +15459,7 @@ public void ResolveExpressionX(Expression expr, ResolveOpts opts) {
       Contract.Requires(opts != null);
 
       Label label = null;
-      if (!opts.twoState) {
+      if (!IsTwoStateContext(opts)) {
         reporter.Error(MessageSource.Resolver, tok, $"{expressionDescription} expressions are not allowed in this context");
       } else if (labelName != null) {
         label = dominatingStatementLabels.Find(labelName);
@@ -16678,7 +16688,7 @@ Expression ResolveExprDotCall(IToken tok, Expression receiver, Type receiverType
         AddCallGraphEdgeForField(opts.codeContext, field, rr);
       } else if (member is Function) {
         var fn = (Function)member;
-        if (fn is TwoStateFunction && !opts.twoState) {
+        if (fn is TwoStateFunction && !IsTwoStateContext(opts)) {
           reporter.Error(MessageSource.Resolver, tok, "two-state function ('{0}') can only be called in a two-state context", member.Name);
         }
         int suppliedTypeArguments = optTypeArguments == null ? 0 : optTypeArguments.Count;
@@ -17218,7 +17228,7 @@ public void ResolveFunctionCallExpr(FunctionCallExpr e, ResolveOpts opts) {
         if (function is ExtremePredicate) {
           ((ExtremePredicate)function).Uses.Add(e);
         }
-        if (function is TwoStateFunction && !opts.twoState) {
+        if (function is TwoStateFunction && !IsTwoStateContext(opts)) {
           reporter.Error(MessageSource.Resolver, e.tok, "a two-state function can be used only in a two-state context");
         }
         if (e.Receiver is StaticReceiverExpr && !function.IsStatic) {
diff --git a/Test/git-issues/git-issue-2597-resolution.dfy b/Test/git-issues/git-issue-2597-resolution.dfy
new file mode 100644
index 00000000000..486cfbef76d
--- /dev/null
+++ b/Test/git-issues/git-issue-2597-resolution.dfy
@@ -0,0 +1,69 @@
+// RUN: %dafny_0 /compile:0 "%s" > "%t"
+// RUN: %diff "%s.expect" "%t"
+
+class C {
+  var data: int
+
+  method ResolutionIssues()
+    requires old(data) == 3 // error: 'old' not allowed in this context
+    requires calc { 0; { var d := old(data); } 0; } true // error: 'old' not allowed in this context
+  {
+    var a := old(5 + old(data)); // error: 'old' not allowed inside another 'old
+
+    var b := 5 +
+      calc {
+        0;
+      ==  { var a := old(data); }
+        0;
+      }
+      0;
+
+    var c := old(5 +
+      calc {
+        0;
+      ==  { var a := old(data); } // error: 'old' not allowed inside another 'old
+        0;
+      }
+      0
+      );
+  }
+
+  method CallTwostate(u: int)
+    requires F2(u) == u // error: twostate function not allowed in this context
+    requires calc {
+        0;
+      ==  { assert F2(u) == u; } // error: twostate function not allowed in this context
+        0;
+      }
+      true
+  {
+    var a := old(5 + F2(u)); // error: twostate function not allowed inside 'old
+
+    var b := 5 +
+      calc {
+        0;
+      ==  { var a := F2(u); }
+        0;
+      }
+      0;
+
+    var c := old(5 +
+      calc {
+        0;
+      ==  { var a := F2(u); } // error: twostate function not allowed inside 'old
+        0;
+      }
+      0
+      );
+  }
+
+  function F(u: int): int {
+    5 +
+    assert F2(u) == u; // error: twostate function not allowed in this context
+    u
+  }
+
+  twostate function F2(u: int): int {
+    u
+  }
+}
diff --git a/Test/git-issues/git-issue-2597-resolution.dfy.expect b/Test/git-issues/git-issue-2597-resolution.dfy.expect
new file mode 100644
index 00000000000..d276bd8ec9e
--- /dev/null
+++ b/Test/git-issues/git-issue-2597-resolution.dfy.expect
@@ -0,0 +1,10 @@
+git-issue-2597-resolution.dfy(8,13): Error: old expressions are not allowed in this context
+git-issue-2597-resolution.dfy(9,34): Error: old expressions are not allowed in this context
+git-issue-2597-resolution.dfy(11,21): Error: old expressions are not allowed in this context
+git-issue-2597-resolution.dfy(24,21): Error: old expressions are not allowed in this context
+git-issue-2597-resolution.dfy(32,13): Error: two-state function ('F2') can only be called in a two-state context
+git-issue-2597-resolution.dfy(35,19): Error: two-state function ('F2') can only be called in a two-state context
+git-issue-2597-resolution.dfy(40,21): Error: two-state function ('F2') can only be called in a two-state context
+git-issue-2597-resolution.dfy(53,21): Error: two-state function ('F2') can only be called in a two-state context
+git-issue-2597-resolution.dfy(62,11): Error: two-state function ('F2') can only be called in a two-state context
+9 resolution/type errors detected in git-issue-2597-resolution.dfy

From c35603d56c29328e290a807d83f9f9d7879d60f0 Mon Sep 17 00:00:00 2001
From: Rustan Leino <leino@amazon.com>
Date: Wed, 17 Aug 2022 09:23:32 -0700
Subject: [PATCH 03/15] chore: Improve code to use modern C#

---
 Source/Dafny/Verifier/Translator.TrStatement.cs | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/Source/Dafny/Verifier/Translator.TrStatement.cs b/Source/Dafny/Verifier/Translator.TrStatement.cs
index 4331a7cbe8d..3d999bfa4a4 100644
--- a/Source/Dafny/Verifier/Translator.TrStatement.cs
+++ b/Source/Dafny/Verifier/Translator.TrStatement.cs
@@ -1609,10 +1609,9 @@ void TrCallStmt(CallStmt s, BoogieStmtListBuilder builder, List<Variable> locals
 
       List<AssignToLhs> lhsBuilders;
       List<Bpl.IdentifierExpr> bLhss;
-      Bpl.Expr[] ignore1, ignore2;
-      string[] ignore3;
       var tySubst = s.MethodSelect.TypeArgumentSubstitutionsWithParents();
-      ProcessLhss(s.Lhs, true, true, builder, locals, etran, out lhsBuilders, out bLhss, out ignore1, out ignore2, out ignore3, s.OriginalInitialLhs);
+      ProcessLhss(s.Lhs, true, true, builder, locals, etran, out lhsBuilders, out bLhss,
+        out _, out _, out _, s.OriginalInitialLhs);
       Contract.Assert(s.Lhs.Count == lhsBuilders.Count);
       Contract.Assert(s.Lhs.Count == bLhss.Count);
       var lhsTypes = new List<Type>();

From b50a6f8696e9385544a0ae98413a4b2452403a12 Mon Sep 17 00:00:00 2001
From: Rustan Leino <leino@amazon.com>
Date: Wed, 17 Aug 2022 09:58:02 -0700
Subject: [PATCH 04/15] fix: Use old heap in StmtExpr inside old

Fixes #2597
---
 Source/Dafny/Verifier/Translator.cs           |  30 ++++
 .../git-issue-2597-verification.dfy           | 142 ++++++++++++++++++
 .../git-issue-2597-verification.dfy.expect    |  19 +++
 3 files changed, 191 insertions(+)
 create mode 100644 Test/git-issues/git-issue-2597-verification.dfy
 create mode 100644 Test/git-issues/git-issue-2597-verification.dfy.expect

diff --git a/Source/Dafny/Verifier/Translator.cs b/Source/Dafny/Verifier/Translator.cs
index 295ac95757d..fab0df0f4b3 100644
--- a/Source/Dafny/Verifier/Translator.cs
+++ b/Source/Dafny/Verifier/Translator.cs
@@ -6260,7 +6260,37 @@ void CheckWellformedWithResult(Expression expr, WFOptions options, Bpl.Expr resu
 
       } else if (expr is StmtExpr) {
         var e = (StmtExpr)expr;
+        // If we're inside an "old" expression, then "etran" will know how to translate
+        // expressions. However, here, we're also having to translate e.S, which is a
+        // Statement. Since statement translation (in particular, CallStmt's) works
+        // directly on the global variable $Heap, we change its value here.
+        // (Note, this would be a bad translation if the Statement could introduce
+        // control flow that would miss the "$Heap := tmpHeap;" assignment that
+        // resets the value of $Heap. Luckily, StmtExpr does not allow any such
+        // Statement.)
+        Bpl.IdentifierExpr tmpHeap = null;
+        Bpl.IdentifierExpr theHeap = null;
+        if (etran.UsesOldHeap) {
+          var suffix = CurrentIdGenerator.FreshId("StmtExpr#");
+          var tmpHeapVar = new Bpl.LocalVariable(e.S.Tok, new Bpl.TypedIdent(e.S.Tok, "Heap$" + suffix, predef.HeapType));
+          locals.Add(tmpHeapVar);
+          tmpHeap = new Bpl.IdentifierExpr(e.S.Tok, tmpHeapVar);
+          var generalEtran = new ExpressionTranslator(this, predef, e.S.Tok);
+          theHeap = (Bpl.IdentifierExpr /*TODO: this cast is dubious*/)generalEtran.HeapExpr;
+        }
+
+        if (tmpHeap != null) {
+          // tmpHeap := $Heap;
+          builder.Add(Bpl.Cmd.SimpleAssign(e.S.Tok, tmpHeap, theHeap));
+          // $Heap := etran.$Heap;
+          builder.Add(Bpl.Cmd.SimpleAssign(e.S.Tok, theHeap, etran.HeapExpr));
+        }
         TrStmt(e.S, builder, locals, etran);
+        if (tmpHeap != null) {
+          // $Heap := tmpHeap;
+          builder.Add(Bpl.Cmd.SimpleAssign(e.S.Tok, theHeap, tmpHeap));
+        }
+
         CheckWellformedWithResult(e.E, options, result, resultType, locals, builder, etran);
         result = null;
 
diff --git a/Test/git-issues/git-issue-2597-verification.dfy b/Test/git-issues/git-issue-2597-verification.dfy
new file mode 100644
index 00000000000..a7b8b2b4094
--- /dev/null
+++ b/Test/git-issues/git-issue-2597-verification.dfy
@@ -0,0 +1,142 @@
+// RUN: %dafny_0 /compile:0 "%s" > "%t"
+// RUN: %diff "%s.expect" "%t"
+
+class C {
+  var data: int
+
+  lemma DataIs(x: int)
+    requires data == x
+  {
+  }
+
+  method VerificationIssues()
+    requires data == 3
+    modifies this
+  {
+    data := 100;
+    ghost var x, y;
+    x := old(5 + assert data == 3; 0);
+    y := old(5 + (DataIs(3); 0));
+    assert x + y == 10;
+
+    x := 5 +
+      calc {
+        0;
+      ==  { DataIs(100); }
+        0;
+      ==  { DataIs(3); } // error: precondition violation
+        0;
+      }
+      0;
+    y := old(5 +
+      calc {
+        0;
+      ==  { DataIs(3); }
+        0;
+      ==  { DataIs(100); } // error: precondition violation
+        0;
+      }
+      0);
+    assert x + y == 10;
+
+    x := 5 +
+      assert data == 100 by {
+        DataIs(100);
+        if * {
+          DataIs(3); // error: precondition violation
+        }
+      }
+      0;
+    y := old(5 +
+      assert data == 3 by {
+        DataIs(3);
+        if * {
+          DataIs(100); // error: precondition violation
+        }
+      }
+      0);
+    assert x + y == 10;
+
+    DataIs(100); // this tests that the $Heap once again is the current one
+    assert false; // error: this statement is reachable
+  }
+
+  function {:opaque} OpaqueData(x: int): int
+    reads this
+  {
+    x + data
+  }
+
+  method Reveal(x: int)
+  {
+    if
+    case true =>
+      reveal OpaqueData();
+      assert OpaqueData(x) == x + data;
+    case true =>
+      assert OpaqueData(x) == x + data; // error: cannot prove, since OpaqueData is opaque
+    case true =>
+      assert reveal OpaqueData(); OpaqueData(x) == x + data;
+    case true =>
+      reveal OpaqueData();
+      assert old(OpaqueData(x)) == x + old(data);
+    case true =>
+      assert old(OpaqueData(x)) == x + old(data); // error: cannot prove, since OpaqueData is opaque
+    case true =>
+      assert old(reveal OpaqueData(); OpaqueData(x)) == x + old(data);
+  }
+
+  method Postconditions()
+    requires data == 3
+    modifies this
+    ensures old(97 +
+      calc {
+        0;
+      ==  { DataIs(3); }
+        0;
+      ==  { DataIs(100); } // error: precondition violation
+        0;
+      }
+      data) == data
+  {
+    data := 100;
+
+    var arr := new int[100](i => 8);
+/*    forall i | 0 <= i < arr.Length
+      ensures arr[i] == old(5 +
+        calc {
+          0;
+        ==  { DataIs(3); }
+          0;
+        ==  { DataIs(100); } // error: precondition violation
+          0;
+        }
+        data)
+    {
+    }
+*/
+    for i := 0 to arr.Length
+      invariant forall j :: 0 <= j < i ==> arr[j] == old(6 +
+        calc {
+          0;
+        ==  { DataIs(3); }
+          0;
+        ==  { DataIs(100); } // error: precondition violation
+          0;
+        }
+        data)
+      invariant forall j :: i <= j < arr.Length ==> arr[j] == old(5 +
+        calc {
+          0;
+        ==  { DataIs(3); }
+          0;
+        ==  { DataIs(100); } // error: precondition violation
+          0;
+        }
+        data)
+      modifies arr
+    {
+      arr[i] := arr[i] + 1;
+    }
+  }
+}
diff --git a/Test/git-issues/git-issue-2597-verification.dfy.expect b/Test/git-issues/git-issue-2597-verification.dfy.expect
new file mode 100644
index 00000000000..168faeb2014
--- /dev/null
+++ b/Test/git-issues/git-issue-2597-verification.dfy.expect
@@ -0,0 +1,19 @@
+git-issue-2597-verification.dfy(27,18): Error: A precondition for this call might not hold.
+git-issue-2597-verification.dfy(8,18): Related location: This is the precondition that might not hold.
+git-issue-2597-verification.dfy(36,18): Error: A precondition for this call might not hold.
+git-issue-2597-verification.dfy(8,18): Related location: This is the precondition that might not hold.
+git-issue-2597-verification.dfy(46,16): Error: A precondition for this call might not hold.
+git-issue-2597-verification.dfy(8,18): Related location: This is the precondition that might not hold.
+git-issue-2597-verification.dfy(54,16): Error: A precondition for this call might not hold.
+git-issue-2597-verification.dfy(8,18): Related location: This is the precondition that might not hold.
+git-issue-2597-verification.dfy(61,11): Error: assertion might not hold
+git-issue-2597-verification.dfy(77,27): Error: assertion might not hold
+git-issue-2597-verification.dfy(84,32): Error: assertion might not hold
+git-issue-2597-verification.dfy(97,18): Error: A precondition for this call might not hold.
+git-issue-2597-verification.dfy(8,18): Related location: This is the precondition that might not hold.
+git-issue-2597-verification.dfy(124,20): Error: A precondition for this call might not hold.
+git-issue-2597-verification.dfy(8,18): Related location: This is the precondition that might not hold.
+git-issue-2597-verification.dfy(133,20): Error: A precondition for this call might not hold.
+git-issue-2597-verification.dfy(8,18): Related location: This is the precondition that might not hold.
+
+Dafny program verifier finished with 1 verified, 10 errors

From 2dae005ddb52b0d616465de2c9b70cd8ee9667ad Mon Sep 17 00:00:00 2001
From: Rustan Leino <leino@amazon.com>
Date: Wed, 17 Aug 2022 11:56:11 -0700
Subject: [PATCH 05/15] fix: Check well-definedness of forall-ensures

Fixes #2605
---
 RELEASE_NOTES.md                                |  1 +
 Source/Dafny/Verifier/Translator.TrStatement.cs | 12 +++++++++---
 Test/git-issues/git-issue-2605.dfy              | 12 ++++++++++++
 Test/git-issues/git-issue-2605.dfy.expect       |  7 +++++++
 4 files changed, 29 insertions(+), 3 deletions(-)
 create mode 100644 Test/git-issues/git-issue-2605.dfy
 create mode 100644 Test/git-issues/git-issue-2605.dfy.expect

diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index 39f98b93a65..bd0688cf9e3 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -16,6 +16,7 @@
   (https://github.com/dafny-lang/dafny/pull/2522)
 - feat: `predicate P(x: int): (y: bool) ...` is now valid syntax (https://github.com/dafny-lang/dafny/pull/2454)
 - fix: Improve the performance of proofs involving bit vector shifts (https://github.com/dafny-lang/dafny/pull/2520)
+- fix: Perform well-definedness checks for ensures clauses of forall statements (https://github.com/dafny-lang/dafny/issues/2605)
 
 # 3.7.3
 
diff --git a/Source/Dafny/Verifier/Translator.TrStatement.cs b/Source/Dafny/Verifier/Translator.TrStatement.cs
index 4331a7cbe8d..73627bd280c 100644
--- a/Source/Dafny/Verifier/Translator.TrStatement.cs
+++ b/Source/Dafny/Verifier/Translator.TrStatement.cs
@@ -993,9 +993,9 @@ void TrForallProof(ForallStmt s, BoogieStmtListBuilder definedness, BoogieStmtLi
       //     havoc x,y;
       //     CheckWellformed( Range );
       //     assume Range(x,y);
-      //     Tr( Body );
       //     CheckWellformed( Post );
-      //     assert Post;
+      //     Tr( Body );       // include only if there is a Body
+      //     assert Post;      // include only if there is a Body
       //     assume false;
       //   } else {
       //     assume (forall x,y :: Range(x,y) ==> Post(x,y));
@@ -1022,12 +1022,18 @@ void TrForallProof(ForallStmt s, BoogieStmtListBuilder definedness, BoogieStmtLi
       TrStmt_CheckWellformed(s.Range, definedness, locals, etran, false);
       definedness.Add(TrAssumeCmd(s.Range.tok, etran.TrExpr(s.Range)));
 
+      var ensuresDefinedness = new BoogieStmtListBuilder(this);
+      foreach (var ens in s.Ens) {
+        TrStmt_CheckWellformed(ens.E, ensuresDefinedness, locals, etran, false);
+        ensuresDefinedness.Add(TrAssumeCmd(ens.E.tok, etran.TrExpr(ens.E)));
+      }
+      PathAsideBlock(s.Tok, ensuresDefinedness, definedness);
+
       if (s.Body != null) {
         TrStmt(s.Body, definedness, locals, etran);
 
         // check that postconditions hold
         foreach (var ens in s.Ens) {
-
           bool splitHappened;  // we actually don't care
           foreach (var split in TrSplitExpr(ens.E, etran, true, out splitHappened)) {
             if (split.IsChecked) {
diff --git a/Test/git-issues/git-issue-2605.dfy b/Test/git-issues/git-issue-2605.dfy
new file mode 100644
index 00000000000..395dcb72279
--- /dev/null
+++ b/Test/git-issues/git-issue-2605.dfy
@@ -0,0 +1,12 @@
+// RUN: %dafny_0 /compile:0 "%s" > "%t"
+// RUN: %diff "%s.expect" "%t"
+
+method M(a: array<int>, j: int) {
+  forall n | 0 <= n < 100
+    ensures n / 0 == n / 0 // error (x2): division by zero
+    ensures a[j] == a[j] // error (x2): array index out of bounds    
+  {
+    assert false; // error
+  }
+  assert false; // error
+}
diff --git a/Test/git-issues/git-issue-2605.dfy.expect b/Test/git-issues/git-issue-2605.dfy.expect
new file mode 100644
index 00000000000..2c8cc2e51ad
--- /dev/null
+++ b/Test/git-issues/git-issue-2605.dfy.expect
@@ -0,0 +1,7 @@
+git-issue-2605.dfy(6,14): Error: possible division by zero
+git-issue-2605.dfy(6,23): Error: possible division by zero
+git-issue-2605.dfy(7,13): Error: index out of range
+git-issue-2605.dfy(7,21): Error: index out of range
+git-issue-2605.dfy(9,11): Error: assertion might not hold
+
+Dafny program verifier finished with 0 verified, 5 errors

From ad59a9c0e3838f5a0fc445d0f848652a5809a85e Mon Sep 17 00:00:00 2001
From: Rustan Leino <leino@amazon.com>
Date: Wed, 17 Aug 2022 12:03:20 -0700
Subject: [PATCH 06/15] Update PR number in release notes

---
 RELEASE_NOTES.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index bd0688cf9e3..3ca0ce678e6 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -16,7 +16,7 @@
   (https://github.com/dafny-lang/dafny/pull/2522)
 - feat: `predicate P(x: int): (y: bool) ...` is now valid syntax (https://github.com/dafny-lang/dafny/pull/2454)
 - fix: Improve the performance of proofs involving bit vector shifts (https://github.com/dafny-lang/dafny/pull/2520)
-- fix: Perform well-definedness checks for ensures clauses of forall statements (https://github.com/dafny-lang/dafny/issues/2605)
+- fix: Perform well-definedness checks for ensures clauses of forall statements (https://github.com/dafny-lang/dafny/pull/2606)
 
 # 3.7.3
 

From d819bf1a437b68fcce60d1bae6a368775dc379c5 Mon Sep 17 00:00:00 2001
From: Rustan Leino <leino@amazon.com>
Date: Wed, 17 Aug 2022 12:11:19 -0700
Subject: [PATCH 07/15] Add test, now that 2605 is fixed

---
 Test/git-issues/git-issue-2597-verification.dfy        | 4 ++--
 Test/git-issues/git-issue-2597-verification.dfy.expect | 4 +++-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/Test/git-issues/git-issue-2597-verification.dfy b/Test/git-issues/git-issue-2597-verification.dfy
index a7b8b2b4094..a216292e8e7 100644
--- a/Test/git-issues/git-issue-2597-verification.dfy
+++ b/Test/git-issues/git-issue-2597-verification.dfy
@@ -102,7 +102,7 @@ class C {
     data := 100;
 
     var arr := new int[100](i => 8);
-/*    forall i | 0 <= i < arr.Length
+    forall i | 0 <= i < arr.Length
       ensures arr[i] == old(5 +
         calc {
           0;
@@ -114,7 +114,7 @@ class C {
         data)
     {
     }
-*/
+
     for i := 0 to arr.Length
       invariant forall j :: 0 <= j < i ==> arr[j] == old(6 +
         calc {
diff --git a/Test/git-issues/git-issue-2597-verification.dfy.expect b/Test/git-issues/git-issue-2597-verification.dfy.expect
index 168faeb2014..e62f875297c 100644
--- a/Test/git-issues/git-issue-2597-verification.dfy.expect
+++ b/Test/git-issues/git-issue-2597-verification.dfy.expect
@@ -11,9 +11,11 @@ git-issue-2597-verification.dfy(77,27): Error: assertion might not hold
 git-issue-2597-verification.dfy(84,32): Error: assertion might not hold
 git-issue-2597-verification.dfy(97,18): Error: A precondition for this call might not hold.
 git-issue-2597-verification.dfy(8,18): Related location: This is the precondition that might not hold.
+git-issue-2597-verification.dfy(111,20): Error: A precondition for this call might not hold.
+git-issue-2597-verification.dfy(8,18): Related location: This is the precondition that might not hold.
 git-issue-2597-verification.dfy(124,20): Error: A precondition for this call might not hold.
 git-issue-2597-verification.dfy(8,18): Related location: This is the precondition that might not hold.
 git-issue-2597-verification.dfy(133,20): Error: A precondition for this call might not hold.
 git-issue-2597-verification.dfy(8,18): Related location: This is the precondition that might not hold.
 
-Dafny program verifier finished with 1 verified, 10 errors
+Dafny program verifier finished with 1 verified, 11 errors

From 5395c688067f2c6d3b76614466ada44fc05222ea Mon Sep 17 00:00:00 2001
From: Rustan Leino <leino@amazon.com>
Date: Wed, 17 Aug 2022 12:14:30 -0700
Subject: [PATCH 08/15] Add release notes

---
 RELEASE_NOTES.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index 3ca0ce678e6..b0461e372df 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -17,6 +17,7 @@
 - feat: `predicate P(x: int): (y: bool) ...` is now valid syntax (https://github.com/dafny-lang/dafny/pull/2454)
 - fix: Improve the performance of proofs involving bit vector shifts (https://github.com/dafny-lang/dafny/pull/2520)
 - fix: Perform well-definedness checks for ensures clauses of forall statements (https://github.com/dafny-lang/dafny/pull/2606)
+- fix: Resolution and verification of StmtExpr now pay attention to if the StmtExpr is inside an 'old' (https://github.com/dafny-lang/dafny/issues/2597)
 
 # 3.7.3
 

From e329d6a77a6a9eb4429626fa8cf193da7c5e0dc7 Mon Sep 17 00:00:00 2001
From: Rustan Leino <leino@amazon.com>
Date: Wed, 17 Aug 2022 15:20:37 -0700
Subject: [PATCH 09/15] Adjusts tests and answers

---
 Test/allocated1/dafny0/Simple.dfy.expect      |  1 +
 Test/allocated1/dafny0/SmallTests.dfy.expect  |  2 ++
 .../dafny0/Twostate-Verification.dfy.expect   |  1 +
 Test/dafny0/TypeMembers.dfy                   |  2 +-
 Test/dafny0/TypeMembers.dfy.expect            |  1 +
 Test/git-issues/git-issue-1163.dfy            |  2 +-
 Test/git-issues/git-issue-1163.dfy.expect     |  1 +
 Test/refman/Example-Old.dfy.expect            |  3 ++
 Test/refman/Example-Old3.dfy.expect           |  1 +
 Test/traits/TraitOverride2.dfy                |  4 ---
 Test/traits/TraitOverride2.dfy.expect         |  2 +-
 ...ping-is-hard-to-decide-modulo-equality.dfy |  2 +-
 .../old-is-a-special-case-for-triggers.dfy    | 29 ++++++++++++++----
 ...-is-a-special-case-for-triggers.dfy.expect | 30 ++++++++++++++++++-
 14 files changed, 67 insertions(+), 14 deletions(-)

diff --git a/Test/allocated1/dafny0/Simple.dfy.expect b/Test/allocated1/dafny0/Simple.dfy.expect
index cc2d0771b18..a37b202e128 100644
--- a/Test/allocated1/dafny0/Simple.dfy.expect
+++ b/Test/allocated1/dafny0/Simple.dfy.expect
@@ -105,5 +105,6 @@ module B refines A {
     ...;
   }
 }
+Simple.dfy(14,12): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
 
 Dafny program verifier did not attempt verification
diff --git a/Test/allocated1/dafny0/SmallTests.dfy.expect b/Test/allocated1/dafny0/SmallTests.dfy.expect
index c4572b29a50..75916a8983c 100644
--- a/Test/allocated1/dafny0/SmallTests.dfy.expect
+++ b/Test/allocated1/dafny0/SmallTests.dfy.expect
@@ -1,4 +1,5 @@
 SmallTests.dfy(548,4): Warning: /!\ No trigger covering all quantified variables found.
+SmallTests.dfy(599,12): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
 SmallTests.dfy(34,11): Error: index out of range
 SmallTests.dfy(65,35): Error: possible division by zero
 SmallTests.dfy(66,50): Error: possible division by zero
@@ -52,5 +53,6 @@ SmallTests.dfy(716,8): Error: cannot establish the existence of LHS values that
 
 Dafny program verifier finished with 51 verified, 46 errors
 SmallTests.dfy.tmp.dprint.dfy(450,4): Warning: /!\ No trigger covering all quantified variables found.
+SmallTests.dfy.tmp.dprint.dfy(740,12): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
 
 Dafny program verifier did not attempt verification
diff --git a/Test/allocated1/dafny0/Twostate-Verification.dfy.expect b/Test/allocated1/dafny0/Twostate-Verification.dfy.expect
index 4f8fa950122..1489e0b60cb 100644
--- a/Test/allocated1/dafny0/Twostate-Verification.dfy.expect
+++ b/Test/allocated1/dafny0/Twostate-Verification.dfy.expect
@@ -1,3 +1,4 @@
+Twostate-Verification.dfy(34,13): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
 Twostate-Verification.dfy(39,26): Error: target object might not be allocated
 Twostate-Verification.dfy(44,34): Error: target object might not be allocated
 Twostate-Verification.dfy(60,26): Error: target object might not be allocated
diff --git a/Test/dafny0/TypeMembers.dfy b/Test/dafny0/TypeMembers.dfy
index f10f5a9ce47..0249e7edfb2 100644
--- a/Test/dafny0/TypeMembers.dfy
+++ b/Test/dafny0/TypeMembers.dfy
@@ -112,7 +112,7 @@ datatype Dt<A> = Blue | Bucket(diameter: real) | Business(trendy: bool, a: A)
   static method P(x: int) returns (y: int) {
     y := x + g;
   }
-  twostate predicate Toop() { old(this) == this }
+  twostate predicate Toop() { old(this) == this } // warning: old has no effect
   twostate lemma Tool() { }
   least predicate IndP() { true }
   greatest predicate CoP() { true }
diff --git a/Test/dafny0/TypeMembers.dfy.expect b/Test/dafny0/TypeMembers.dfy.expect
index 6967cc6d1f6..4ae15093915 100644
--- a/Test/dafny0/TypeMembers.dfy.expect
+++ b/Test/dafny0/TypeMembers.dfy.expect
@@ -1,3 +1,4 @@
+TypeMembers.dfy(115,30): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
 
 Dafny program verifier finished with 29 verified, 0 errors
 DaTy.Yes 10 26
diff --git a/Test/git-issues/git-issue-1163.dfy b/Test/git-issues/git-issue-1163.dfy
index 9bb2dd9cdfa..b747ae32c58 100644
--- a/Test/git-issues/git-issue-1163.dfy
+++ b/Test/git-issues/git-issue-1163.dfy
@@ -4,7 +4,7 @@
 function F(i: int): int
 
 method M() {
-  ghost var f := old(i => F(i));  // the translation of this once had crashed the verifier
+  ghost var f := old(i => F(i));  // the translation of this once had crashed the verifier (warning: old has no effect)
 }
 
 class MyClass {
diff --git a/Test/git-issues/git-issue-1163.dfy.expect b/Test/git-issues/git-issue-1163.dfy.expect
index 081e4dbdad7..3f619a04c07 100644
--- a/Test/git-issues/git-issue-1163.dfy.expect
+++ b/Test/git-issues/git-issue-1163.dfy.expect
@@ -1,3 +1,4 @@
+git-issue-1163.dfy(7,17): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
 git-issue-1163.dfy(21,42): Error: receiver argument might not be allocated in the state in which the function is invoked
 git-issue-1163.dfy(23,44): Error: argument might not be allocated in the state in which the function is invoked
 git-issue-1163.dfy(27,40): Error: receiver argument might not be allocated in the state in which the function is invoked
diff --git a/Test/refman/Example-Old.dfy.expect b/Test/refman/Example-Old.dfy.expect
index 823a60a105c..a4fdc907b7e 100644
--- a/Test/refman/Example-Old.dfy.expect
+++ b/Test/refman/Example-Old.dfy.expect
@@ -1,2 +1,5 @@
+Example-Old.dfy(16,11): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+Example-Old.dfy(17,11): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+Example-Old.dfy(18,11): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
 
 Dafny program verifier finished with 1 verified, 0 errors
diff --git a/Test/refman/Example-Old3.dfy.expect b/Test/refman/Example-Old3.dfy.expect
index ebe2328e072..c6d44b46b7b 100644
--- a/Test/refman/Example-Old3.dfy.expect
+++ b/Test/refman/Example-Old3.dfy.expect
@@ -1,2 +1,3 @@
+Example-Old3.dfy(18,11): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
 
 Dafny program verifier finished with 2 verified, 0 errors
diff --git a/Test/traits/TraitOverride2.dfy b/Test/traits/TraitOverride2.dfy
index 1cb04f46272..41ca3e82bc4 100644
--- a/Test/traits/TraitOverride2.dfy
+++ b/Test/traits/TraitOverride2.dfy
@@ -16,7 +16,6 @@ trait Spec<U> {
     requires Valid()
     modifies Repr
     ensures Valid()
-    ensures Repr == old(Repr)
     decreases Repr
 }
 
@@ -46,7 +45,6 @@ class Impl<T> extends Spec<T> {
     requires Valid()
     modifies Repr
     ensures Valid()
-    ensures Repr == old(Repr)
     decreases Repr
   {
     if done || hasFailed {
@@ -82,7 +80,6 @@ class AnotherImpl<T> extends Spec<seq<T>> {
     requires Valid()
     modifies Repr
     ensures Valid()
-    ensures Repr == old(Repr)
     decreases Repr
   { }
 }
@@ -106,6 +103,5 @@ class FixedImpl extends Spec<int> {
     requires Valid()
     modifies Repr
     ensures Valid()
-    ensures Repr == old(Repr)
     decreases Repr
 }
diff --git a/Test/traits/TraitOverride2.dfy.expect b/Test/traits/TraitOverride2.dfy.expect
index 842d05da0e6..4bb1c2c7251 100644
--- a/Test/traits/TraitOverride2.dfy.expect
+++ b/Test/traits/TraitOverride2.dfy.expect
@@ -1,2 +1,2 @@
 
-Dafny program verifier finished with 20 verified, 0 errors
+Dafny program verifier finished with 18 verified, 0 errors
diff --git a/Test/triggers/looping-is-hard-to-decide-modulo-equality.dfy b/Test/triggers/looping-is-hard-to-decide-modulo-equality.dfy
index 161e9c4940a..a21cfa29a4b 100644
--- a/Test/triggers/looping-is-hard-to-decide-modulo-equality.dfy
+++ b/Test/triggers/looping-is-hard-to-decide-modulo-equality.dfy
@@ -12,7 +12,7 @@
 // experiences could cause a change of mind.
 
 class C { }
-function f(c: C): C
+function f(c: C): C reads c
 function g(c: C): C
 function h(c: C, i: int): C
 
diff --git a/Test/triggers/old-is-a-special-case-for-triggers.dfy b/Test/triggers/old-is-a-special-case-for-triggers.dfy
index fd537f4d82e..98cafb29c19 100644
--- a/Test/triggers/old-is-a-special-case-for-triggers.dfy
+++ b/Test/triggers/old-is-a-special-case-for-triggers.dfy
@@ -12,21 +12,40 @@ function h(c: C, i: int): C
 
 method M(sc: set<C>)
   // Ensure that old(c) does not get picked as a trigger
-  ensures forall c | c in sc :: true || c == old(f(c))
+  ensures forall c | c in sc :: true || c == old(f(c)) // warning: old has no effect
 
   // This checks whether loop detection handles `old` expressions properly.
   // In the first one f(c)/old(f(f(c))) is not reported as a loop. See
   // looping-is-hard-to-decide-modulo-equalities.dfy for an explanation.
-  ensures forall c | c in sc :: true || f(c) == old(f(f(c)))
-  ensures forall c | c in sc :: true || old(f(f(c))) == old(g(f(c))) || old(f(g(c))) == g(f(c)) || f(g(c)) == g(f(c))
+  ensures forall c | c in sc :: true || f(c) == old(f(f(c))) // warning: old has no effect
+  ensures forall c | c in sc :: true || old(f(f(c))) == old(g(f(c))) || old(f(g(c))) == g(f(c)) || f(g(c)) == g(f(c)) // warning (x3): old has no effect
 
   // These check that the final trigger filtering step doesn't get confused
   // between old expressions and regular expressions.
-  ensures forall c | c in sc :: true || f(c) == old(g(f(c)))
-  ensures forall c | c in sc :: true || f(c) == old(f(c)) || old(g(f(c))) == g(f(c))
+  ensures forall c | c in sc :: true || f(c) == old(g(f(c))) // warning: old has no effect
+  ensures forall c | c in sc :: true || f(c) == old(f(c)) || old(g(f(c))) == g(f(c)) // warning (x2): old has no effect
 
   // WISH: A Dafny rewriter could cleanup expressions so that adding the
   //       expression forall c :: c == old(c) in a quantifier would cause a warning,
   //       instead of a trigger generation error as it does now.
 {
 }
+
+function ff(c: C): C reads c
+
+method MM(sc: set<C>)
+  // Ensure that old(c) does not get picked as a trigger
+  ensures forall c | c in sc :: true || c == old(ff(c))
+
+  // This checks whether loop detection handles `old` expressions properly.
+  // In the first one ff(c)/old(ff(ff(c))) is not reported as a loop. See
+  // looping-is-hard-to-decide-modulo-equalities.dfy for an explanation.
+  ensures forall c | c in sc :: true || ff(c) == old(ff(ff(c)))
+  ensures forall c | c in sc :: true || old(ff(ff(c))) == old(g(ff(c))) || old(ff(g(c))) == g(ff(c)) || ff(g(c)) == g(ff(c))
+
+  // These check that the final trigger filtering step doesn't get confused
+  // between old expressions and regular expressions.
+  ensures forall c | c in sc :: true || ff(c) == old(g(ff(c)))
+  ensures forall c | c in sc :: true || ff(c) == old(ff(c)) || old(g(ff(c))) == g(ff(c))
+{
+}
diff --git a/Test/triggers/old-is-a-special-case-for-triggers.dfy.expect b/Test/triggers/old-is-a-special-case-for-triggers.dfy.expect
index 8399e6be6ce..f86863bf654 100644
--- a/Test/triggers/old-is-a-special-case-for-triggers.dfy.expect
+++ b/Test/triggers/old-is-a-special-case-for-triggers.dfy.expect
@@ -18,5 +18,33 @@ old-is-a-special-case-for-triggers.dfy(26,10): Info: Selected triggers:
  Rejected triggers:
    {g(f(c))} (more specific than {f(c)})
    {old(g(f(c)))} (more specific than {old(f(c))})
+old-is-a-special-case-for-triggers.dfy(38,10): Info: Selected triggers:
+   {old(ff(c))}, {c in sc}
+old-is-a-special-case-for-triggers.dfy(43,10): Info: Selected triggers:
+   {old(ff(ff(c)))}, {ff(c)}, {c in sc}
+ Rejected triggers: {old(ff(c))} (may loop with "old(ff(ff(c)))")
+old-is-a-special-case-for-triggers.dfy(44,10): Info: Selected triggers:
+   {ff(g(c))}, {g(ff(c))}, {old(ff(g(c)))}, {old(g(ff(c)))}, {old(ff(ff(c)))}, {c in sc}
+ Rejected triggers:
+   {g(c)} (may loop with "g(ff(c))")
+   {ff(c)} (may loop with "ff(g(c))")
+   {old(g(c))} (may loop with "old(g(ff(c)))")
+   {old(ff(c))} (may loop with "old(ff(ff(c)))", "old(ff(g(c)))")
+old-is-a-special-case-for-triggers.dfy(48,10): Info: Selected triggers:
+   {old(ff(c))}, {ff(c)}, {c in sc}
+ Rejected triggers: {old(g(ff(c)))} (more specific than {old(ff(c))})
+old-is-a-special-case-for-triggers.dfy(49,10): Info: Selected triggers:
+   {old(ff(c))}, {ff(c)}, {c in sc}
+ Rejected triggers:
+   {g(ff(c))} (more specific than {ff(c)})
+   {old(g(ff(c)))} (more specific than {old(ff(c))})
+old-is-a-special-case-for-triggers.dfy(15,45): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+old-is-a-special-case-for-triggers.dfy(20,48): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+old-is-a-special-case-for-triggers.dfy(21,40): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+old-is-a-special-case-for-triggers.dfy(21,56): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+old-is-a-special-case-for-triggers.dfy(21,72): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+old-is-a-special-case-for-triggers.dfy(25,48): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+old-is-a-special-case-for-triggers.dfy(26,48): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+old-is-a-special-case-for-triggers.dfy(26,61): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
 
-Dafny program verifier finished with 2 verified, 0 errors
+Dafny program verifier finished with 4 verified, 0 errors

From 1d6b5f7cd35700cfd8b23aa4b7670ec627137609 Mon Sep 17 00:00:00 2001
From: Rustan Leino <leino@amazon.com>
Date: Wed, 17 Aug 2022 15:23:15 -0700
Subject: [PATCH 10/15] Add method to iterate over all expressions, even those
 in substatements

---
 Source/Dafny/AST/DafnyAst.cs          | 18 ++++++++++++++
 Source/Dafny/AST/FreeVariablesUtil.cs | 18 ++++++++++----
 Source/Dafny/Linter.cs                |  2 +-
 Source/Dafny/Verifier/Translator.cs   |  6 ++---
 Test/git-issues/git-issue-1989.dfy    | 34 ++++++++++++++++++---------
 5 files changed, 58 insertions(+), 20 deletions(-)

diff --git a/Source/Dafny/AST/DafnyAst.cs b/Source/Dafny/AST/DafnyAst.cs
index e08830d72b5..2eab11a86b8 100644
--- a/Source/Dafny/AST/DafnyAst.cs
+++ b/Source/Dafny/AST/DafnyAst.cs
@@ -6711,6 +6711,24 @@ public Statement(IToken tok, IToken endTok)
       Contract.Requires(endTok != null);
     }
 
+    /// <summary>
+    /// Returns the non-null expressions of this statement proper (that is, do not include the expressions of substatements).
+    /// Filters all sub expressions that are not part of specifications
+    /// </summary>
+    public IEnumerable<Expression> SubExpressionsIncludingTransitiveSubStatements {
+      get {
+        foreach (var e in SubExpressions) {
+          yield return e;
+        }
+
+        foreach (var s in SubStatements) {
+          foreach (var e in s.SubExpressionsIncludingTransitiveSubStatements) {
+            yield return e;
+          }
+        }
+      }
+    }
+
     /// <summary>
     /// Returns the non-null substatements of the Statements.
     /// </summary>
diff --git a/Source/Dafny/AST/FreeVariablesUtil.cs b/Source/Dafny/AST/FreeVariablesUtil.cs
index bc0a4ef9229..6f8fd670124 100644
--- a/Source/Dafny/AST/FreeVariablesUtil.cs
+++ b/Source/Dafny/AST/FreeVariablesUtil.cs
@@ -35,17 +35,20 @@ public static void ComputeFreeVariables(Expression expr, ISet<IVariable> fvs) {
       bool dontCare0 = false, dontCare1 = false;
       Type dontCareT = null;
       var dontCareHeapAt = new HashSet<Label>();
-      ComputeFreeVariables(expr, fvs, ref dontCare0, ref dontCare1, dontCareHeapAt, ref dontCareT);
+      ComputeFreeVariables(expr, fvs, ref dontCare0, ref dontCare1, dontCareHeapAt, ref dontCareT, false);
     }
-    public static void ComputeFreeVariables(Expression expr, ISet<IVariable> fvs, ref bool usesHeap) {
+    public static void ComputeFreeVariables(Expression expr, ISet<IVariable> fvs, ref bool usesHeap, bool includeStatements = false) {
       Contract.Requires(expr != null);
       Contract.Requires(fvs != null);
       bool dontCare1 = false;
       Type dontCareT = null;
       var dontCareHeapAt = new HashSet<Label>();
-      ComputeFreeVariables(expr, fvs, ref usesHeap, ref dontCare1, dontCareHeapAt, ref dontCareT);
+      ComputeFreeVariables(expr, fvs, ref usesHeap, ref dontCare1, dontCareHeapAt, ref dontCareT, includeStatements);
     }
-    public static void ComputeFreeVariables(Expression expr, ISet<IVariable> fvs, ref bool usesHeap, ref bool usesOldHeap, ISet<Label> freeHeapAtVariables, ref Type usesThis) {
+    public static void ComputeFreeVariables(Expression expr,
+      ISet<IVariable> fvs,
+      ref bool usesHeap, ref bool usesOldHeap, ISet<Label> freeHeapAtVariables, ref Type usesThis,
+      bool includeStatements) {
       Contract.Requires(expr != null);
 
       if (expr is ThisExpr) {
@@ -113,8 +116,13 @@ public static void ComputeFreeVariables(Expression expr, ISet<IVariable> fvs, re
       // visit subexpressions
       bool uHeap = false, uOldHeap = false;
       Type uThis = null;
+      if (expr is StmtExpr stmtExpr && includeStatements) {
+        foreach (var subExpression in stmtExpr.S.SubExpressionsIncludingTransitiveSubStatements) {
+          ComputeFreeVariables(subExpression, fvs, ref uHeap, ref uOldHeap, freeHeapAtVariables, ref uThis, includeStatements);
+        }
+      }
       foreach (var subExpression in expr.SubExpressions) {
-        ComputeFreeVariables(subExpression, fvs, ref uHeap, ref uOldHeap, freeHeapAtVariables, ref uThis);
+        ComputeFreeVariables(subExpression, fvs, ref uHeap, ref uOldHeap, freeHeapAtVariables, ref uThis, includeStatements);
       }
       Contract.Assert(usesThis == null || uThis == null || usesThis.Equals(uThis));
       usesThis = usesThis ?? uThis;
diff --git a/Source/Dafny/Linter.cs b/Source/Dafny/Linter.cs
index e480c16205f..39b5ba28e4c 100644
--- a/Source/Dafny/Linter.cs
+++ b/Source/Dafny/Linter.cs
@@ -39,7 +39,7 @@ protected override bool VisitOneExpr(Expression expr, ref Unit st) {
       if (expr is OldExpr oldExpr && !AutoGeneratedToken.Is(oldExpr.tok)) {
         var fvs = new HashSet<IVariable>();
         var usesHeap = false;
-        FreeVariablesUtil.ComputeFreeVariables(oldExpr.E, fvs, ref usesHeap);
+        FreeVariablesUtil.ComputeFreeVariables(oldExpr.E, fvs, ref usesHeap, true);
         if (!usesHeap) {
           this.reporter.Warning(MessageSource.Rewriter, oldExpr.tok,
             $"Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect");
diff --git a/Source/Dafny/Verifier/Translator.cs b/Source/Dafny/Verifier/Translator.cs
index fab0df0f4b3..ef327005265 100644
--- a/Source/Dafny/Verifier/Translator.cs
+++ b/Source/Dafny/Verifier/Translator.cs
@@ -1968,7 +1968,7 @@ void AddFunctionAxiom(Bpl.Function boogieFunction, Function f, Expression body)
         bool dontCare0 = false, dontCare1 = false;
         var dontCareHeapAt = new HashSet<Label>();
         foreach (var e in f.Decreases.Expressions) {
-          FreeVariablesUtil.ComputeFreeVariables(e, FVs, ref dontCare0, ref dontCare1, dontCareHeapAt, ref usesThis);
+          FreeVariablesUtil.ComputeFreeVariables(e, FVs, ref dontCare0, ref dontCare1, dontCareHeapAt, ref usesThis, false);
         }
 
         var allFormals = new List<Formal>();
@@ -10391,7 +10391,7 @@ Expression LetDesugaring(LetExpr e) {
             bool usesHeap = false, usesOldHeap = false;
             var FVsHeapAt = new HashSet<Label>();
             Type usesThis = null;
-            FreeVariablesUtil.ComputeFreeVariables(e.RHSs[0], FVs, ref usesHeap, ref usesOldHeap, FVsHeapAt, ref usesThis);
+            FreeVariablesUtil.ComputeFreeVariables(e.RHSs[0], FVs, ref usesHeap, ref usesOldHeap, FVsHeapAt, ref usesThis, false);
             var FTVs = new HashSet<TypeParameter>();
             foreach (var bv in e.BoundVars) {
               FVs.Remove(bv);
@@ -11828,7 +11828,7 @@ public static bool UsesHeap(Expression expr) {
       bool usesHeap = false, usesOldHeap = false;
       var FVsHeapAt = new HashSet<Label>();
       Type usesThis = null;
-      FreeVariablesUtil.ComputeFreeVariables(expr, new HashSet<IVariable>(), ref usesHeap, ref usesOldHeap, FVsHeapAt, ref usesThis);
+      FreeVariablesUtil.ComputeFreeVariables(expr, new HashSet<IVariable>(), ref usesHeap, ref usesOldHeap, FVsHeapAt, ref usesThis, false);
       return usesHeap || usesOldHeap || FVsHeapAt.Count != 0;
     }
 
diff --git a/Test/git-issues/git-issue-1989.dfy b/Test/git-issues/git-issue-1989.dfy
index 83f740f3625..aa1e1b3f318 100644
--- a/Test/git-issues/git-issue-1989.dfy
+++ b/Test/git-issues/git-issue-1989.dfy
@@ -86,7 +86,7 @@ class D {
 
   method TestFields()
     ensures data == old(data)
-    ensures N == old(N) // warning: old has no effect
+    ensures N == old(N) // warning: old has no effect, since N is const
   {
   }
 
@@ -132,6 +132,11 @@ class D {
   }
 }
 
+
+lemma StaticLemmaWithoutPrecondition(y: int)
+{
+}
+
 // ---------------------------------------
 
 method StmtExpr(d: D)
@@ -163,27 +168,33 @@ method CalcStmtExpr(d: D)
   d.data := 100;
   if {
   case true =>
-    a := old(calc { } 10); // warning: old has no effect (but this is hard to determine)
+    a := old(calc { } 10); // warning: old has no effect
   case true =>
-    a := old(calc { // this old does have an an effect (but this is hard to determine)
+    a := old(calc {
       2;
     ==  { assert d.data == 3; }
       2;
     } 10);
   case true =>
-    a := old(calc { // this old does have an an effect (but this is hard to determine)
+    a := old(calc {
       2;
     ==  { assert d.data == 100; } // error: assertion violation
       2;
     } 10);
   case true =>
-    a := old(calc { // this old does have an an effect (but this is hard to determine)
+    a := old(calc {
       2;
     ==  { d.Lemma(3); }
       2;
     } 10);
   case true =>
-    a := old(calc { // this old does have an an effect (but this is hard to determine)
+    a := old(calc {
+      2;
+    ==  { StaticLemmaWithoutPrecondition(3); }
+      2;
+    } 10);
+  case true =>
+    a := old(calc {
       2;
     ==  { d.Lemma(100); } // error: precondition violation
       2;
@@ -193,30 +204,31 @@ method CalcStmtExpr(d: D)
 
 twostate function CalcStmtExprFunction(d: D, selector: int): int
   requires old(d.data) == 3 && d.data == 100
+  reads d
 {
   match selector
   case 0 =>
-    old(calc { } 10) // warning: old has no effect (but this is hard to determine)
+    old(calc { } 10) // warning: old has no effect
   case 1 =>
-    old(calc { // this old does have an an effect (but this is hard to determine)
+    old(calc {
       2;
     ==  { assert d.data == 3; }
       2;
     } 10)
   case 2 =>
-    old(calc { // this old does have an an effect (but this is hard to determine)
+    old(calc {
       2;
     ==  { assert d.data == 100; } // error: assertion violation
       2;
     } 10)
   case 3 =>
-    old(calc { // this old does have an an effect (but this is hard to determine)
+    old(calc {
       2;
     ==  { d.Lemma(3); }
       2;
     } 10)
   case 4 =>
-    old(calc { // this old does have an an effect (but this is hard to determine)
+    old(calc {
       2;
     ==  { d.Lemma(100); } // error: precondition violation
       2;

From 0434f908c505167c1eb5e16c67af6507fee87699 Mon Sep 17 00:00:00 2001
From: Rustan Leino <leino@amazon.com>
Date: Wed, 17 Aug 2022 15:33:04 -0700
Subject: [PATCH 11/15] Update concurrency tests

---
 Test/concurrency/12-MutexLifetime-long.dfy         | 7 ++-----
 Test/concurrency/12-MutexLifetime-short.dfy        | 7 ++-----
 Test/concurrency/12-MutexLifetime-short.dfy.expect | 2 +-
 3 files changed, 5 insertions(+), 11 deletions(-)

diff --git a/Test/concurrency/12-MutexLifetime-long.dfy b/Test/concurrency/12-MutexLifetime-long.dfy
index 5662b23d4f4..7139e39f28c 100644
--- a/Test/concurrency/12-MutexLifetime-long.dfy
+++ b/Test/concurrency/12-MutexLifetime-long.dfy
@@ -437,7 +437,6 @@ trait OwnedObject extends Object {
 
   twostate predicate unchangedNonvolatileFields() reads this {
     && old(owner) == owner
-    && old(lifetime) == lifetime
     && unchangedNonvolatileUserFields()
   }
 
@@ -454,7 +453,6 @@ trait OwnedObject extends Object {
 
   twostate predicate localInv2() reads * {
     && (owner != null ==> localUserInv2())
-    && old(lifetime) == lifetime
   }
 
   twostate predicate sequenceInv2() reads * {
@@ -690,8 +688,7 @@ class OutlivesClaim extends OwnedObject {
   function objectUserFields(): set<Object> reads this { { source, target } }
 
   twostate predicate unchangedNonvolatileUserFields() reads this {
-    && old(target) == target
-    && old(source) == source
+    true
   }
 
   predicate localUserInv() reads * {
@@ -699,7 +696,7 @@ class OutlivesClaim extends OwnedObject {
     && universe.outlives(target, source)
   }
   predicate userInv() reads * ensures userInv() ==> localUserInv() { localUserInv() }
-  twostate predicate localUserInv2() reads * { old(target) == target && old(source) == source }
+  twostate predicate localUserInv2() reads * { true }
   twostate predicate userInv2() reads * ensures userInv2() ==> localUserInv2() { localUserInv2() }
 
   twostate lemma sequenceAdmissibility(running: set<Thread>) requires goodPreAndLegalChangesSequence(running) ensures sequenceInv2() {}
diff --git a/Test/concurrency/12-MutexLifetime-short.dfy b/Test/concurrency/12-MutexLifetime-short.dfy
index c4712c741bd..cb1b97ccbf6 100644
--- a/Test/concurrency/12-MutexLifetime-short.dfy
+++ b/Test/concurrency/12-MutexLifetime-short.dfy
@@ -436,7 +436,6 @@ trait OwnedObject extends Object {
 
   twostate predicate unchangedNonvolatileFields() reads this {
     && old(owner) == owner
-    && old(lifetime) == lifetime
     && unchangedNonvolatileUserFields()
   }
 
@@ -453,7 +452,6 @@ trait OwnedObject extends Object {
 
   twostate predicate localInv2() reads * {
     && (owner != null ==> localUserInv2())
-    && old(lifetime) == lifetime
   }
 
   twostate predicate sequenceInv2() reads * {
@@ -689,8 +687,7 @@ class OutlivesClaim extends OwnedObject {
   function objectUserFields(): set<Object> reads this { { source, target } }
 
   twostate predicate unchangedNonvolatileUserFields() reads this {
-    && old(target) == target
-    && old(source) == source
+    true
   }
 
   predicate localUserInv() reads * {
@@ -698,7 +695,7 @@ class OutlivesClaim extends OwnedObject {
     && universe.outlives(target, source)
   }
   predicate userInv() reads * ensures userInv() ==> localUserInv() { localUserInv() }
-  twostate predicate localUserInv2() reads * { old(target) == target && old(source) == source }
+  twostate predicate localUserInv2() reads * { true }
   twostate predicate userInv2() reads * ensures userInv2() ==> localUserInv2() { localUserInv2() }
 
   twostate lemma sequenceAdmissibility(running: set<Thread>) requires goodPreAndLegalChangesSequence(running) ensures sequenceInv2() {}
diff --git a/Test/concurrency/12-MutexLifetime-short.dfy.expect b/Test/concurrency/12-MutexLifetime-short.dfy.expect
index 03005235cbc..5762072e289 100644
--- a/Test/concurrency/12-MutexLifetime-short.dfy.expect
+++ b/Test/concurrency/12-MutexLifetime-short.dfy.expect
@@ -1,2 +1,2 @@
 
-Dafny program verifier finished with 204 verified, 0 errors
+Dafny program verifier finished with 202 verified, 0 errors

From 32167433b945763742e2a16a5415e8dc4657ff23 Mon Sep 17 00:00:00 2001
From: Rustan Leino <leino@amazon.com>
Date: Wed, 17 Aug 2022 15:34:03 -0700
Subject: [PATCH 12/15] Update release notes

---
 RELEASE_NOTES.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index b0461e372df..83c27a5e731 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -18,6 +18,7 @@
 - fix: Improve the performance of proofs involving bit vector shifts (https://github.com/dafny-lang/dafny/pull/2520)
 - fix: Perform well-definedness checks for ensures clauses of forall statements (https://github.com/dafny-lang/dafny/pull/2606)
 - fix: Resolution and verification of StmtExpr now pay attention to if the StmtExpr is inside an 'old' (https://github.com/dafny-lang/dafny/issues/2597)
+- feat: generate warning when 'old' has no effect
 
 # 3.7.3
 

From f4f26b607e4031fad5ab054c02b65410c899753b Mon Sep 17 00:00:00 2001
From: Rustan Leino <leino@amazon.com>
Date: Wed, 17 Aug 2022 15:35:19 -0700
Subject: [PATCH 13/15] Update release notes

---
 RELEASE_NOTES.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index b0461e372df..1cca96ebca8 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -17,7 +17,7 @@
 - feat: `predicate P(x: int): (y: bool) ...` is now valid syntax (https://github.com/dafny-lang/dafny/pull/2454)
 - fix: Improve the performance of proofs involving bit vector shifts (https://github.com/dafny-lang/dafny/pull/2520)
 - fix: Perform well-definedness checks for ensures clauses of forall statements (https://github.com/dafny-lang/dafny/pull/2606)
-- fix: Resolution and verification of StmtExpr now pay attention to if the StmtExpr is inside an 'old' (https://github.com/dafny-lang/dafny/issues/2597)
+- fix: Resolution and verification of StmtExpr now pay attention to if the StmtExpr is inside an 'old' (https://github.com/dafny-lang/dafny/pull/2607)
 
 # 3.7.3
 

From 5651f8680b29769c33be58013a58bfec6424ee66 Mon Sep 17 00:00:00 2001
From: Rustan Leino <leino@amazon.com>
Date: Wed, 24 Aug 2022 09:47:34 -0700
Subject: [PATCH 14/15] Add .expect file

---
 Test/git-issues/git-issue-1989.dfy.expect | 31 +++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 Test/git-issues/git-issue-1989.dfy.expect

diff --git a/Test/git-issues/git-issue-1989.dfy.expect b/Test/git-issues/git-issue-1989.dfy.expect
new file mode 100644
index 00000000000..d29adadafef
--- /dev/null
+++ b/Test/git-issues/git-issue-1989.dfy.expect
@@ -0,0 +1,31 @@
+git-issue-1989.dfy(22,31): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+git-issue-1989.dfy(89,17): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+git-issue-1989.dfy(97,20): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+git-issue-1989.dfy(98,22): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+git-issue-1989.dfy(124,23): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+git-issue-1989.dfy(125,28): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+git-issue-1989.dfy(49,7): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+git-issue-1989.dfy(50,7): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+git-issue-1989.dfy(51,7): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+git-issue-1989.dfy(52,7): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+git-issue-1989.dfy(67,30): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+git-issue-1989.dfy(70,29): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+git-issue-1989.dfy(70,29): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+git-issue-1989.dfy(70,51): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+git-issue-1989.dfy(158,18): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+git-issue-1989.dfy(160,23): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+git-issue-1989.dfy(171,9): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+git-issue-1989.dfy(211,4): Warning: Argument to 'old' does not dereference the mutable heap, so this use of 'old' has no effect
+git-issue-1989.dfy(126,2): Error: A postcondition might not hold on this return path.
+git-issue-1989.dfy(122,22): Related location: This is the postcondition that might not hold.
+git-issue-1989.dfy(150,23): Error: assertion might not hold
+git-issue-1989.dfy(156,20): Error: A precondition for this call might not hold.
+git-issue-1989.dfy(130,18): Related location: This is the precondition that might not hold.
+git-issue-1989.dfy(181,24): Error: assertion might not hold
+git-issue-1989.dfy(199,17): Error: A precondition for this call might not hold.
+git-issue-1989.dfy(130,18): Related location: This is the precondition that might not hold.
+git-issue-1989.dfy(221,24): Error: assertion might not hold
+git-issue-1989.dfy(233,17): Error: A precondition for this call might not hold.
+git-issue-1989.dfy(130,18): Related location: This is the precondition that might not hold.
+
+Dafny program verifier finished with 17 verified, 7 errors

From a526739994515500f3fd8592f5f62337744ca3eb Mon Sep 17 00:00:00 2001
From: Rustan Leino <leino@amazon.com>
Date: Thu, 1 Sep 2022 09:19:43 -0700
Subject: [PATCH 15/15] Rename Linter to something more specific

---
 Source/Dafny/Resolver.cs                        |  2 +-
 Source/Dafny/{Linter.cs => UselessOldLinter.cs} | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)
 rename Source/Dafny/{Linter.cs => UselessOldLinter.cs} (83%)

diff --git a/Source/Dafny/Resolver.cs b/Source/Dafny/Resolver.cs
index 230606a00e6..b3f95e3f6fa 100644
--- a/Source/Dafny/Resolver.cs
+++ b/Source/Dafny/Resolver.cs
@@ -441,7 +441,7 @@ public void ResolveProgram(Program prog) {
         rewriters.Add(new ConstructorWarning(reporter));
       }
 
-      rewriters.Add(new Linter(reporter));
+      rewriters.Add(new UselessOldLinter(reporter));
 
       foreach (var plugin in DafnyOptions.O.Plugins) {
         rewriters.AddRange(plugin.GetRewriters(reporter));
diff --git a/Source/Dafny/Linter.cs b/Source/Dafny/UselessOldLinter.cs
similarity index 83%
rename from Source/Dafny/Linter.cs
rename to Source/Dafny/UselessOldLinter.cs
index 39b5ba28e4c..3b509d66c33 100644
--- a/Source/Dafny/Linter.cs
+++ b/Source/Dafny/UselessOldLinter.cs
@@ -11,27 +11,27 @@
 
 namespace Microsoft.Dafny {
 
-  class Linter : IRewriter {
+  public class UselessOldLinter : IRewriter {
     internal override void PostResolve(Program program) {
       base.PostResolve(program);
       foreach (var moduleDefinition in program.Modules()) {
         foreach (var topLevelDecl in moduleDefinition.TopLevelDecls.OfType<TopLevelDeclWithMembers>()) {
           foreach (var callable in topLevelDecl.Members.OfType<ICallable>()) {
-            var visitor = new LinterVisitor(this.Reporter);
+            var visitor = new UselessOldLinterVisitor(this.Reporter);
             visitor.Visit(callable, Unit.Default);
           }
         }
       }
     }
 
-    public Linter(ErrorReporter reporter) : base(reporter) {
+    public UselessOldLinter(ErrorReporter reporter) : base(reporter) {
     }
   }
 
-  class LinterVisitor : TopDownVisitor<Unit> {
+  class UselessOldLinterVisitor : TopDownVisitor<Unit> {
     private readonly ErrorReporter reporter;
 
-    public LinterVisitor(ErrorReporter reporter) {
+    public UselessOldLinterVisitor(ErrorReporter reporter) {
       this.reporter = reporter;
     }